From 211576e9ed72d6f9aaed05ce579bf8a6e03938ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Conall=20=C3=93=20Cofaigh?=
Date: Thu, 31 Oct 2024 10:13:43 +0000
Subject: [PATCH] feat: updated the KMS auth policy created by the module so its scoped to the exact KMS Key. NOTE: This will delete and re-create any existing auth policy, however it will create before delete so there will be no disruption to services. (#764)
---
 .secrets.baseline | 2 +-
 main.tf | 45 ++++++++++++++++++++++++++++++++++++---------
 2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 4897158d..e34fec37 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-10-15T12:23:07Z",
+ "generated_at": "2024-10-30T15:05:28Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
diff --git a/main.tf b/main.tf
index 9d44873e..62f1da0e 100644
--- a/main.tf
+++ b/main.tf
@@ -97,12 +97,11 @@ locals {
 cos_instance_name = var.create_cos_instance ? ibm_resource_instance.cos_instance[0].name : null
 cos_instance_crn = var.create_cos_instance ? ibm_resource_instance.cos_instance[0].crn : null
 create_access_policy_kms = var.kms_encryption_enabled && var.create_cos_bucket && !var.skip_iam_authorization_policy
- kms_service = local.create_access_policy_kms ? (
- can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
- can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
- )
- ) : null
-
+ parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
+ kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
+ kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
+ kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
+ kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
 }
 # Create IAM Authorization Policy to allow COS to access KMS for the encryption key
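Review bot: The new locals read `parsed_kms_key_crn[4]`, `[6]` and `[9]` behind a guard that only checks the list is non-empty, so a value with fewer colon-separated segments (an instance CRN pasted instead of a key CRN, or a truncated one) fails at plan time with an index-out-of-range error rather than a message naming the cause. A key CRN has ten segments, so gating each lookup on `length(local.parsed_kms_key_crn) == 10` instead of `> 0`, or adding a `validation` block on `var.kms_key_crn` that checks the segment count, would surface the bad input clearly and keep `kms_service` null for anything that is not a key CRN. `split("/", local.kms_scope)[1]` also assumes the scope segment has the `a/<account-id>` form; a short comment such as `# scope segment is "a/<account-id>" for account-scoped keys` would record that. The `locals` block starts before this hunk.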
@@ -110,10 +109,38 @@ resource "ibm_iam_authorization_policy" "policy" {
 count = local.create_access_policy_kms ? 1 : 0
 source_service_name = "cloud-object-storage"
 source_resource_instance_id = local.cos_instance_guid
- target_service_name = local.kms_service
- target_resource_instance_id = var.existing_kms_instance_guid
 roles = ["Reader"]
- description = "Allow the COS instance with GUID ${local.cos_instance_guid} reader access to the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}"
+ description = "Allow the COS instance ${local.cos_instance_guid} to read the ${local.kms_service} key ${local.kms_key_id} from the instance ${var.existing_kms_instance_guid}"
+ resource_attributes {
+ name = "serviceName"
+ operator = "stringEquals"
+ value = local.kms_service
+ }
+ resource_attributes {
+ name = "accountId"
+ operator = "stringEquals"
+ value = local.kms_account_id
+ }
+ resource_attributes {
+ name = "serviceInstance"
+ operator = "stringEquals"
+ value = var.existing_kms_instance_guid
+ }
+ resource_attributes {
+ name = "resourceType"
+ operator = "stringEquals"
+ value = "key"
+ }
+ resource_attributes {
+ name = "resource"
+ operator = "stringEquals"
+ value = local.kms_key_id
+ }
+ # Scope of policy now includes the key, so ensure to create new policy before
+ # destroying old one to prevent any disruption to every day services.
+ lifecycle {
+ create_before_destroy = true
+ }
 }
 # Create random string which is added to COS bucket name as a suffix
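Review bot: The `serviceInstance` attribute is taken from `var.existing_kms_instance_guid` while `resource`, `serviceName` and `accountId` are derived from `var.kms_key_crn`, so a caller who passes a key CRN from one instance and the GUID of another gets a policy whose attributes match no real key, and the failure only shows up when COS later cannot use the key. The CRN already carries the instance GUID as segment 7 of the split done in the previous hunk, so either `value = local.parsed_kms_key_crn[7]` or a check that the two agree (a `precondition` in the `lifecycle` block if the module's Terraform version supports it) would keep the policy self-consistent. If `var.kms_key_crn` can be null while `kms_encryption_enabled` is true, the derived attribute values are also null here; presumably variable validation elsewhere prevents that, worth confirming. The lifecycle comment would read more cleanly as `# The policy is now scoped to the key, so create the replacement before destroying the old one to avoid interrupting services.`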